This issue is filled with great insights and expert commentary on areas that are relevant to the legal landscape and highlight how the business community is embracing technology, media and telecommunications. There are various topics covered, from new ways of working and digital transformation in the finance sector to data protection regulatory updates and guidance. We also have a series of articles that focus on e-commerce across a number of jurisdictions.
You will also find insights from our lawyers around real estate analytics, tech trends, and data centres.
We hope this edition of Law Update provides some useful food for thought – enjoy the read!Take a read of the edition
The Kingdom of Bahrain’s Law No. 30 of 2018 promulgating the Personal Data Protection Law (‘PDPL’), which came into effect on 1, August 2019, gives data subjects resident in the Kingdom the right to object to decisions made based only on automatic processing (Article 22 of the PDPL).
The banking and finance sector is likely to be impacted by this new statutory right.
An automated process for scoring loans can calculate and score qualitative and quantitative risk factors and weigh each according to the type of loan in order to automatically generate a loan decision.
Automating loan decisions are said to be highly beneficial to the banking and finance sector as a whole for the following reasons:
While described as a ‘right to object’ to decisions based on automated processing, the right granted under Article 22 to individuals (potential borrowers in this scenario) is actually a right to request processing in a manner that is not solely automated.
Article22 (1) states, in part (in its English translation):
“If a decision is based solely on automated processing of personal data intended to assess the data subject regarding his performance at work, financial standing, credit-worthiness, reliability or conduct, then the data subject shall have the right to request processing in a manner that is not solely automated.”
Re-consideration of the automated decision by an human is obligatory in these circumstances and must be done free of charge for the data subject.
The Board of the Personal Data Protection Authority (‘Authority’) is yet to issue a regulation specifying procedures relating to the submission and processing of the request under Article 22. Although, the Minister of Justice, Islamic Affairs and Awqaf has recently been tasked under Decree No. (78) of 2019 with the duties and powers prescribed under the PDPL for the Authority to date, no regulations have been issued regarding Article 22. What remains unclear is, whether in the absence of these processes, data subjects can exercise their rights under Article 22.
Further, the right to object under Article 22 expressly does not apply “in favour of the Data Subject, where the decision is taken in the course of entering into or performance of a contract with the data subject, provided that suitable measures to safeguard his legitimate interests have been taken, such as hearing the data subject’s view.”
It is worth noting that any person who incurs damage arising from processing of their personal data by a data controller (whether by automated means or otherwise) has the right under Article 57 of the PDPL to compel the data controller to pay compensation with a view to repairing the damage.
The right to object only applies to decisions that are based solely on automated processing of personal data. Where a loan decision is not fully automated, the right does not apply.
As noted above, the Authority has not issued any guidance on the application of Article 22(2) of the PDPL. However, this PDPL provision appears to be based on Article (22)(2)(a) and 22(3) of the European
Union’s General Data Protection Regulation (EU) 2016/679 (‘GDPR’).
These equivalent GDPR provisions likely provide some guidance for interpretation of the PDPL. Under the GDPR, a data subject does not have a right to object to a decision based solely on automated means if:
Guidelines for the GDPR produced by the advisory body known as the Article 29 Working Party (or WP29), gives examples of ‘suitable measures’ that enable the data subject to obtain human intervention, express their point of view and contest the decision.
Consequently, if for example, an online bank in Bahrain is offering loans and a decision on whether or not a loan should be offered based on an algorithm is taken, it appears under the PDPL the bank should:
Banks and other financers in the Kingdom of Bahrain do not necessarily use automated loan decisions for every type of loan offering considering that numerous factors make up their business strategies and lending decisions. However, if they do make a decision based solely on an algorithm or other automated process they need to be aware that: